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DETAILED ACTION 



Election/Restrictions 

1. Applicant's election of Group 1 (claims 1-26 and 30) in the reply filed on 
1 1/12/04 is acknowledged. Because applicant did not distinctly and 
specifically point out the supposed errors in the restriction requirement, the 
election has been treated as an election without traverse (MPEP § 818.03(a)). 



2. Claims 1-26 and 30 have been examined. Claims 27-29 are pending but 
withdrawn from examination. Applicant is reminded to cancel claims drawn to 
an unelected invention. 

Claim Objections 

3. Claim 21 is objected to under 37 CFR 1 .75(c) as being in improper form 
because a multiple dependent claim should refer to other claims in the 
alternative and cannot depend from any other multiple dependent claim. See 
MPEP § 608.01 (n). Accordingly, claim 21 has not been further treated on the 
merits. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent 
therefor, subject to the conditions and requirements of this title. 
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Claims 1-26 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. Computer software must be embodied 
on computer readable media. 

Claims 1-26 are directed to non-statutory subject matter. Although the claims are 
directed to a system and a method for enabling authentication, the steps are not 
defined in such a way that they could be implemented without the use of 
computers, e.g. implemented by utilizing pens and paper. As a result, the claims 
refer to abstract ideas. 

Furthermore, several claims refer to an application with modules, library and 
objects. However, in order to meet the requirement of patentability, software 
must be embodied on computer readable media. As a result, the claims also lack 
patentable utility. 

4. Claims 1,3-4,6-12,16-17, 19 and 22, 24-26 are rejected by virtue of their 
dependence. 

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

5. Claims 6-7 and 13, 18, 23 are rejected under 35 U.S.C. 112, first paragraph, 
as failing to comply with the enablement requirement. The claims contain 
subject matter which was not described in the specification in such a way as 
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to enable one skilled in the art to which it pertains, or with which it is most 
nearly connected, to make and/or use the invention. 

6. Claims 6 and 7 discuss "a fifth" and "a sixth data". However, the specification 
provides guidance only in regard to "a first", "a second", "a third" and "a 
fourth" data. The specification discusses "a fourth data" being "produced to 
the web requester" (the specification, pg. 12 lines 23-24), which is the same 
entity that creates the "first data", and not the authentication module as 
discussed in the claim language. Consequently, claims 6 and 7 are rejected 
based on the fact that the specification provides no guidance on 
implementation of "the fifth" and "the sixth" data. 

7. Claims 13, 18 and 23 discuss the invention in relation to the specific 
authentication protocols e.g. Basic or Kerberos authentication. Furthermore, 
the claims specify that the authentication challenge is "generated" (claim 18; 
claims 13 and 23 use similar terms). It is not clear how some of the specific 
protocols (Basic for example) can "generate (be /associated/related)" the 
authentication challenge as discussed in the dependent claim. Basic and 
Kerberos authentication protocols do not have features that are recited by 
claims on which claims 13, 18 and 23 are dependent. There no evidence to 
support the claim language as provided in the applicant's specification. 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 
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8. Claims 5, 13-15, 18, 23 and 25 are rejected under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly 
claim the subject matter that applicant regards as the invention. 

9. Claims 13, 18 and 23 discuss the invention in relation to the specific 
authentication protocols e.g. Basic or Kerberos authentication. Furthermore, 
the claims specify that the authentication challenge is "generated 
(/associated/related)" (claim 18; claims 13 and 23 use similar terms) by one of 
these protocols. It is not clear how specific protocols (Basic for example) can 
"generate" the authentication challenge as discussed in the dependent claim. 
Basic and Kerberos authentication protocol does not have features which are 
called for by claims on that claims 13, 18 and 23 are dependent and no 
evidence to support the claim language which is provided in the applicant's 
specification. For purposes of further examination the examiner treats the 
claim language used in claims 13, 18 and 23 as though the authentication 
challenge is generated by a protocol having similar features to one of the 
recited protocols. 

10. The limitation of claims 14-15: "objects/data store and the registrar are 
distributed to one or more distributed processors" is not understood. It is not 
clear whether the limitation calls on objects/data store operated on different 
machine, whether it refers to a machine that has one or more processors, 
whether it refers to both situations or something else. Similarly the term 
"distributed processors" is not understood. 

1 1 . In claims 5 and 25 the following lack antecedent basis: 
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*\ 

a. Claim 5: "the cache", 

b. Claim 25: "the newly registered", 
Appropriate correction is required. 

12. Claims 1,3-4 and 13-14 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Kessler (Gary Kessler, "Security in Windows NT" 
http://www. garykessler.net/library/ntsecurityMml) . 

13. As per claim 1 Kessler teaches an authentication challenge, wherein a 
windows client receives a first data associated with the communication 
challenge (a random number), which reads on an authentication manager 
adapted to receive a first data associated with the communication challenge. 
The first data is processed into a second data (random number is retrieved by 
the client) related to the first data and the authentication challenge, which is 
communicated to at least one authentication module (encryption). The 
authenticated module produces a third data related to responding to the 
authentication challenge (encrypted random number) (Kessler, pg. 3 first § 
and Figure 1). 

1 4. Kessler also teaches a response to the authentication challenge (Kessler, 
expected response, pg. 3 first § and Figure 1). 

15. As per claim 3 the authentication challenge as taught by Kessler is a multipart 
authentication challenge. 

16. As per claim 4 Kessler teaches an encrypted random number (Kessler, 
expected response, pg. 3 first §). 
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17. As per claim 14 (as best understood) Kessler teaches distributed computers 
(client/server), which inherently use processors to implement operations. 

18. Claims 1,3-4 and 13-14 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Kaeo (Merike Kaeo, "Designing network security", 1999, ISBN: 
1578700434). 

19. Kaeo teaches an authentication challenge (challenge response 
authentication), wherein a peer receives a first data associated with the 
communication challenge (Challenge message), which reads on an 
authentication manager adapted to receive a first data associated with the 
communication challenge. The first data is processed into a second data (ID, 
Random #, Timbuktu) related to the first data and the authentication 
challenge, which is communicated to at least one authentication module 
(Hash Function), The authenticated module produces a third data related to 
responding to the authentication challenge (Hash BADFOOD) (Kaeo, pg.46- 
47, Fig. 2-11). 

20. Kaeo also teaches a response to the authentication challenge (Kaeo, Fig. 2- 
11, step 3). 

21. As per claim 3 the authentication challenge as taught by Kaeo is a multipart 
authentication challenge. 

22. As per claims 4 Kaeo teaches deriving hash (third data) from the second data 
(challenge response, pg.46-47, Fig. 2-11, step 3). 

23. As per claim 13 Digest and NTLM have essentially the same authentication 
principles as the authentication taught by Kaeo. 
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24. Claim 30 is rejected under 35 U.S.C. 102(b) as being anticipated by Hill (Brett 
Hill, " IIS 101: The Basics of IIS Authentication ", 

http://www.windowsitpro.com/Web/Article/Art^ in light 

of Microsoft (Microsoft, "Windows 2000 Server TCP/IP core networking 
guide", 2000, ISBN: 1572318058). 

25. Hill teaches an NT authentication which employs a browser (application) 
being authenticated while accessing network resources. Receiving, 
distributing, producing and storing means are inherent in the NT 
authentication transactions. Also, receiving, distributing and producing 
means are inherently separate from applications (as illustrated by Microsoft, 
pg. 7) since they operate on different OSI layers. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

26. Claims 10-12, 15-18, 22-23 and 25-26 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Kessler (Gary Kessler, "Security in Windows NT", 
http://www.garykessler.net/library/ntsecurity.html) in view of Official Notice. 

27. Kessler teaches the authentication challenge and the authentication manager 
as discussed above. Kessler does not explicitly teach a registrar adapted to 
register an authentication object with the class factory and with the data store. 
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Official Notice is taken that it is old and well-known practice to register objects , 
with the class factory and with the data store. One of ordinary skill in art at the 
time of applicant's invention would employ registering authentication objects 
with the class factory and with the data store in order for the object to be 
known and utilized by the system. 

28. Kessler also does not explicitly teach that the application does not have to be 
recoded or recompiled to employ the newly registered authentication object. 
Official Notice is taken that it is old and well-known practice to use 
applications that do not have to be recoded or recompiled in order to employ 
the newly registered object. One of ordinary skill in art at the time of 
applicant's invention would write an application so that the application does 
not have to be recoded or recompiled to employ the newly registered 
authentication object in order not to slow down the application's execution. 

29. Claims 8-9 and 19 and 24 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kessler (Gary Kessler, "Security in Windows NT", 
http://www.garykessler.net/library/ntsecurfy in view of Itoi et al. 
(Pluggable Authentication Modules for Windows NT) and in further view of 
Official Notice, 

30. As per claim 8 Kessler teaches authentication challenge and authentication 
manager as discussed above. Also, it is implicit that some of the client using 
the authentication challenge as taught by Kessler are Windows 98, NT 2000 
(etc.). Windows Operating Systems products are written in object oriented 
programming language and inherently have a class factory (Dynamic Link 
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Libraries: DLL) and objects. Kessler does not explicitly teach authentication 
objects callable by the authentication manager. 

Itoi et al. teach authentication objects (Itoi et a/., section 2) callable by the 
authentication manager (Itoi et al., Figure 4.2). It would have been obvious to 
one of ordinary skill in the art at the time of applicant's invention to implement 
authentication objects callable by the authentication manager into Kesslefs 
invention as taught by Itoi et al. One of ordinary skill in the art would have 
been motivated to perform such a modification in order to provide a more 
efficient programmable environment (Itoi et a/., Section 1). 
31 .Also, per claim 9 Itoi et al. teach a configuration table (Itoi et a/., section 4). 

32. As per claims 19 and 24 Itoi et al. show several created authentication 
modules (Fig. 4.2). Registering one or more authentication modules after the 
receipt of one or more authentication challenges would be implicit since in 
order to register the appropriate authentication module the authentication 
protocol used must be known. 

33. Claims 2 and 5 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Kaeo (Merike Kaeo, "Designing network security", 1999, ISBN: 
1578700434) and Kessler (Gary Kessler, "Security in Windows NT", 
http://www.garykessler.net/library/ntsecurity.htm^ in view of van Hoff(U.S. 
Patent No.5822539). 

34. Kessler and Kaeo each teach the authentication challenge wherein a third 
data related to responding to the authentication challenge is produced, as 
discussed above. 
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Kessler and Kaeo each do not explicitly teach a cache adapted to store one 
or more third data related to responding to the authentication challenge. 
Van Hoff teaches a pache (van Hoff, col. 1 lines 52-55). It would have been 
obvious to one of ordinary skill in the art at the time of applicant's invention to 
utilize a cache in Kessler and Kaeo's invention as taught by Van Hoff. One of 
ordinary skill in the art would have been motivated to perform such a 
modification in order to provide faster response (van Hoff, col. 1 lines 52-55). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is 
(571 )272-3840. The examiner can normally be reached Monday through 
Thursday from 9:00 a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 
3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on (571) 272-3838. The fax 
phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866- 
217-9197 (toll-free). 
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